Ubuntu 16.04 and MySQL Upgrades…

So, I’ve been having this issue with upgrading MySQL 5.7 on a Ubuntu 16.04 server. It kept erroring out. Even uninstalling MySQL and reinstalling it did not help. Until I found this post by iqbal_cs:

root@iqbal: mysql -u root -p
Enter password:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '<your password>';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

If the error (1819) is raised, type this on the mysql terminal:

mysql> uninstall plugin validate_password;

Then restart mysql: systemctl restart mysql

Finally

apt install -f

to fix broken dependencies

If the error continues, log in to the mysql terminal again and type this:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '<your password>';

Then run apt -f install one last time.
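The account in the quoted fix is the one the Debian/Ubuntu package scripts use, and its password lives in /etc/mysql/debian.cnf; the upgrade keeps failing when that file and the server disagree. The following script is an added example (not from iqbal_cs or the post) that checks the login with the file's own credentials before you touch any grants or the validate_password plugin; it assumes the mysql client and mysqladmin are installed and the default Debian file path.

```shell
#!/bin/sh
# Added example, not part of the quoted post. On Debian/Ubuntu the MySQL package
# scripts log in as 'debian-sys-maint' with the password kept in
# /etc/mysql/debian.cnf; the upgrade loop above happens when that password and
# the one stored in the server drift apart. This script checks the login and,
# if it fails, prints the statement that puts them back in sync.
# Assumes the mysql client and mysqladmin are installed.

DEBIAN_CNF="${DEBIAN_CNF:-/etc/mysql/debian.cnf}"

# Print the password from the [client] section of a debian.cnf-style file.
debian_maint_password() {  # $1 = path to the file
    awk '
        /^\[/ { in_client = ($0 == "[client]"); next }
        in_client && /^[ \t]*password[ \t]*=/ {
            sub(/^[ \t]*password[ \t]*=[ \t]*/, "")
            sub(/[ \t\r]*$/, "")
            print; exit
        }' "$1"
}

# Return 0 when the maintenance credentials are accepted by the server.
debian_maint_login_ok() {
    mysqladmin --defaults-file="$DEBIAN_CNF" ping >/dev/null 2>&1
}

# Build the statement that resets the server-side password to the one in
# debian.cnf. ALTER USER is the MySQL 5.7 form of the GRANT ... IDENTIFIED BY
# used in the quoted post; single quotes are doubled for SQL.
sync_statement() {  # $1 = password
    esc=$(printf '%s' "$1" | sed "s/'/''/g")
    printf "ALTER USER 'debian-sys-maint'@'localhost' IDENTIFIED BY '%s';\n" "$esc"
}

main() {
    pw=$(debian_maint_password "$DEBIAN_CNF")
    if [ -z "$pw" ]; then
        echo "no [client] password found in $DEBIAN_CNF" >&2
        return 2
    fi
    if debian_maint_login_ok; then
        echo "debian-sys-maint login OK; 'apt install -f' should now succeed"
        return 0
    fi
    echo "debian-sys-maint cannot log in. As root in the mysql client, run:"
    sync_statement "$pw"
    echo "ERROR 1819 here means the stored password fails validate_password policy."
    echo "If you uninstalled that plugin to get past it, put it back afterwards:"
    echo "  INSTALL PLUGIN validate_password SONAME 'validate_password.so';"
}

# Run only when invoked as: sh check-debian-sys-maint.sh run
case "${1:-}" in run) main ;; esac
```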

Posted in Uncategorized | Leave a comment

HTTPS Everywhere is a good thing… Sort of…

One of the “big” things of late is the push to have all websites use HTTPS to encrypt traffic to websites. As Stefan Etienne of The Verge noted in the May 2018 article Google Chrome is removing the secure indicator from HTTPS sites in September:

Here’s a quick HTTPS refresher course: it’s a more secure version of HTTP, acting as a secure communication protocol for users and websites, making it harder for eavesdroppers to snoop on your packets. Your data is kept secure from third parties, so most modern sites are employing this technology, using Transport Layer Security (TLS) the underlying tech behind HTTPS, to do this.

What this means is that the URL bar (or omnibar, or whatever a web browser calls it) will change (using Google Chrome as the example):

Eventually it will be:

In one sense, this is somewhat agreeable. It will ensure that no one can easily snoop on what is going back and forth when you connect to a website. That being said, nothing will stop an organisation from breaking the TLS chain with a proxy and installing the proxy’s own certificate in your browser’s certificate store. Since that certificate is self-signed, the client would at first receive an SSL warning message. Once the client installs the proxy’s certificate so that the browser trusts it, browsing websites with HTTPS will look normal and show the green padlock (or, in the future, no warning at all for a secure connection) in the URL bar. This works by:

client <===HTTPS===> proxy <===HTTPS===> server
             ^                   ^
    proxy certificate      server certificate

So, unless you actually go and validate the certificate source, you can still have your traffic sniffed. Many companies use SSL proxies to ensure that confidential information is not being leaked (assuming SSL decryption is being used for moral, lawful purposes). Of course I, for one, would not be surprised if something like the “Great Firewall of China” is doing this (of course, law – and culture in some ways – comes into play here, too).

Of course, DNS servers will still know where you are going – you need to resolve a hostname to an IP address.

Secure Does Not Mean Trusted

All this does not mean that you should trust a website just because communications are encrypted! Anyone can get a Domain Validated (DV) certificate. That’s the way that Let’s Encrypt works. Now, I am not knocking Let’s Encrypt – I use it myself (see URL bar above).

See this article on the types of certificates. Higher-level certificates such as Organisation Validation (OV) and Extended Validation (EV) are a help. OV has more human intervention in the Certificate Authority (CA) validating that an actual business/organisation is reputable. This puts the organisation’s name in the certificate information. This costs money. EV certificates include the most effort in validating a business/organisation’s reputation, including extra documentation (See EV SSL Requirements). This costs more money and time. Chrome used to include the organisation’s name in the URL bar (it stopped doing so – I haven’t spent time finding out when, but it was before Chrome 66) but Firefox, Internet Explorer and Microsoft Edge still do.

The problem is:

HTTPS ≠ TRUSTED

The website you are connecting to must be trusted. Is the site trying to steal your credit card information? Is the site trying to get your personal information for spear phishing purposes? Just because the connection is encrypted does not mean you should trust the site! (The site may be encrypting for reasons other than trying to make you think it is “trusted” – it may also be encrypting traffic to keep people from knowing what it is up to.)

That responsibility is up to you, dear reader. You need to determine if the site where you are entering your credit card or other information is trustworthy. This means, for Chrome at least, you need to look at the certificate and determine if it is truly trustworthy. You need to look at the URL and make sure that it is really the website you are intending to visit – making sure that mybank.com isn’t actually mybonk.com.
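Checking the certificate source as the post recommends can be scripted. This is an added example (not from the original post) that pulls the leaf certificate a site presents, reports the issuing CA and whether the subject carries an organisation name (OV/EV) or is a bare DV certificate, and warns when the issuer is not the CA you expect, which is exactly what a re-signing proxy looks like; it assumes the openssl command-line tool, and the "expected issuer" argument is your own knowledge of the site.

```shell
#!/bin/sh
# Added example, not from the original post. Fetches the leaf certificate a
# site presents and reports who issued it and whether the subject names an
# organisation (OV/EV) or is a bare domain-validated (DV) certificate. A
# proxy that re-signs traffic shows up as an issuer you did not expect, even
# though the browser shows a padlock once its CA is in your trust store.
# Assumes the openssl CLI; the expected issuer is your own knowledge of the site.

# Normalise the DN printed by `openssl x509 -issuer/-subject` so the old
# ("issuer= /C=US/O=Foo") and new ("issuer=C = US, O = Foo") output styles
# both become "C=US, O=Foo". Values containing commas are not handled.
norm_dn() {
    sed -e 's/^[a-z]*= *//' -e 's/^\///' -e 's/\//, /g' -e 's/ *= */=/g'
}

# dn_field NAME (normalised DN on stdin): value of the first NAME= attribute.
dn_field() {
    tr ',' '\n' | sed -n "s/^ *$1=//p" | head -n 1
}

# classify_cert HOST ISSUER_DN SUBJECT_DN EXPECTED_ISSUER_ORG
# Prints a one-line verdict; returns 1 when the issuer is not the expected CA.
classify_cert() {
    host=$1; expected=$4
    issuer_org=$(printf '%s\n' "$2" | dn_field O)
    subject_org=$(printf '%s\n' "$3" | dn_field O)
    subject_cn=$(printf '%s\n' "$3" | dn_field CN)
    if [ "$issuer_org" != "$expected" ]; then
        echo "WARN: $host issued by '$issuer_org', expected '$expected' (interception proxy or wrong CA?)"
        return 1
    fi
    if [ -n "$subject_org" ]; then
        echo "OK: $host OV/EV certificate for '$subject_org' (CN=$subject_cn), issued by $issuer_org"
    else
        echo "OK: $host DV certificate, no organisation in subject (CN=$subject_cn), issued by $issuer_org"
    fi
}

# check_host HOST EXPECTED_ISSUER_ORG: live check against HOST:443.
check_host() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
          | openssl x509 -noout -issuer -subject) || { echo "no certificate from $1" >&2; return 2; }
    issuer=$(printf '%s\n' "$out" | grep '^issuer' | norm_dn)
    subject=$(printf '%s\n' "$out" | grep '^subject' | norm_dn)
    classify_cert "$1" "$issuer" "$subject" "$2"
}

# Usage: sh cert-issuer.sh check www.example.com "Let's Encrypt"
case "${1:-}" in check) check_host "$2" "$3" ;; esac
```

A padlock with an unexpected issuer (for example your employer's proxy CA instead of the CA the site actually uses) is the case the post describes; whether the hostname itself is the one you meant to visit is still a separate, human check.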

Summing Up

One of the good things about HTTPS everywhere is that it can (not will) help keep others from sniffing credit card or other personal information from your connection. Google’s eventual change of not identifying HTTPS and instead highlighting HTTP should help people understand when their communications can be read by others (or, maybe, “not so easily read” is more accurate).

All that said, the trust (the reputation) of where you are connecting is still up to you.


VMware Workstation 12 Pro on Linux Mint 18.3 Sylvia

Mental note 🙂

VMware Workstation 12 Pro on Linux Mint 18.3 Sylvia does not install correctly. This apparently is not so much a Mint issue as a kernel 4.13.x issue.

Spent some time in Google University trying to figure it out (maybe I AM getting old… 🙁 ).

Anyway, the solution can be found here: https://communities.vmware.com/message/2745542#2745542

ukos0vm provides the perfect fix:

The scripts on https://github.com/mkubecek/vmware-host-modules are already very straightforward. If it is not simple enough, try the following script from my gist:

cd ~/Downloads

wget https://gist.githubusercontent.com/ukos-git/e656c47025dd55b4836a980a34811637/raw/21533798c550a12ba6bf2feedf63f24324ed3713/patch-vmware12.sh

sudo bash ./patch-vmware12.sh

Thank you ukos0vm!


Time Waits for No One

It is true: Time waits for no one.

Synology DS211j

My old Synology DS211j that I bought back in 2011 finally showed that it is in its not-so-golden years. With every firmware upgrade the DS211j was becoming slower and slower. File shares were taking minutes to populate, DNS was slow responding – or not at all, logins to the web page were slow – or did not complete. Even ssh connections would time out. It has an old Marvell Kirkwood 88F6281 at 1.2 GHz and only 128 MB of RAM. That is not a lot of horsepower to run the latest Synology DSM 6.1 firmware. In fact, I seem to recall that at 6.0 (or one of the subminor versions) there was a warning that it might cause slowness. Well, there is slowness and then there is s l o w n e s s.

Something had to be done. Both my loving wife and son were not so understanding when they could not connect to Netflix or Youtube (DNS lookups were timing out) and my wife was justifiably concerned when she could not access almost 7 years of digital photos. Quickly (well, not so quick – it took forever) backups to external USB hard disks and to a FreeNAS VM I had set up on my ESXi server were executed.

I have a QNAP NAS that I use for streaming digital media – it seems to do that better than the DS211j, but that might be a result of being a few years younger – but QNAP does not have all of the packages that Synology has; namely: BIND (DNS), etc. Some may suggest looking at other vendors but, in my opinion, Synology’s DSM is one of the best for SOHO (or geek-minded) solutions.

But which Synology model?

Remember, this was basically an “emergency” purchase so it was not like funds had been squirrelled away. I also needed new disks as the 1 TB drives are somewhat small (even though the “big” stuff like movies and music are on the QNAP) and a few years old. So this was not only the replacement of the NAS but the storage as well.

Synology DS216+II

After doing a few days of reviews and looking at prices the DS216+II was my choice with two new WD Red 2TB drives. Some will ask why not 3 or 4 TB drives but remember: this was not a planned purchase so the budget was tight.

The 216+II has much more horsepower. It has an Intel Celeron N3060 64-bit dual-core at 1.6 GHz with burst up to 2.48 GHz. It has 1 GB of RAM. The RAM is technically non-upgradeable but there are sites that document the process of how to upgrade the RAM to 4 GB. It is not that the RAM is soldered to the motherboard, it is standard laptop RAM, but it is buried under everything so that entails a more-or-less full disassembly of the NAS. NOTE: This will void your warranty!

I can also use an external drive array such as the DX513 using the eSATA port to increase space if I need it. Some would say that the DS716+II would be a better option as it would let me span the RAID array across the external enclosure (more RAM, faster CPU, too). But, in thinking about it, this is an eSATA connection and I would not want to trust that to spanning the array. Lose the connection and bad things can happen.

Okay, that was decided. Orders placed. Now, how to migrate the data?

Google is not always your friend; the search results kept returning how to migrate for DSM 5.x. DSM 6.x is the current version. After some searches on Synology’s site I found the information. (It is here if anyone is looking: How to migrate between Synology NAS (DSM 6.0 and later)). The interesting thing is that it allows you to migrate architectures by swapping the drives to the new NAS – ARM-to-x64. However, after thinking about it that is not the way I decided to go.

Why?

  • The DS211j has had firmware updates for the last six years; what “junk” was lying around is a big question
  • I have modified the configuration files over the past six years so there could be some “strange” things happening during the migration
  • I had new disks – so why would I want to migrate then upgrade the volumes?
  • I wanted to use the new Btrfs file system and I could not apparently do that with a migration
  • I wanted to have the DS211j available in case something went wrong (despite backups to USB hard drives and the FreeNAS storage – which was (and is still) taking up VMware VM space)

How?

I had a couple of options:

  • File copy – this likely would have been not only slow but there is not enough checking of file integrity that I was willing to chance
  • Backup and restore – Synology’s HyperBackup is a pretty good product and, obviously, is able to back up between Synology NASes. Plus, it adds checksums.

Backup and restore it was. It took over 30 hours for the backup (from the DS211j to the DS216+II). This is likely because of the older hardware encryption chip on the DS211j and that it just could not pump the data quickly enough through the gigabit Ethernet port. Restore, on the other hand, took all of 50 minutes.

Once that was done I re-created the shares and permissions, shutdown the DS211j, changed the server name and IP on the DS216+II to the old DS211j’s, and restarted…

And everything seems to work! And it is fast. The best example I can give (for us “old folks”) is the performance increase we saw when moving from a Pentium 166 to a Pentium II 350. Simply amazing!

The next steps are to let the DS211j sit on the shelf for a couple of weeks to make sure that nothing is missed, set up the backups again, etc.

What to do with the DS211j? I am not sure at this point. I am considering flattening the drives and doing a fresh install of DSM 6.1 with only the DNS server running on it. (Why an internal DNS, not to mention two? Well, once you start counting up the number of network devices – I have over 40 devices – that is what DNS (and DHCP) are for!)


Oh, it’s the 24th of May….

And I’m glad that I’m indoors for the day…

Not the first 24th of May Weekend with snow but that still doesn’t sugar coat it…

When the snow first started to stay…

Snow Starting on May 20, 8:35 PM

And we woke up to this:

Snow on May 21st at 9:45 AM


Let’s Encrypt – Doing Dumb Things…

Problem:

I moved servers – copying the Apache configuration and /etc/letsencrypt to the new server. Everything went well but now when I have to renew I cannot. I get all types of errors. (Yes, I KNOW that I did a really dumb thing forgetting to copy my backups as well :cry:)

Solution:

Here is what I had to do – much of it is similar to getting the “starter” Apache 2 SSL set up:

  • You need to create the self-signed certificates first (e.g. “sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt”)
  • Once that is done, you need to create the SSL vhost files (assuming you are using virtual hosts – I am) using the self-signed certificates. You can (I did, at least) use the same self-signed certificate for each vhost. The important thing to note here is that letsencrypt must have apache running ssl already. It will not work if apache is not up and/or there are no ssl sites. (This drove me mad for a couple of hours!)
  • Once this is done you can back up your /etc/letsencrypt directory (you could probably blow it away but you are probably paranoid now :slight_smile: )
  • Restart apache (e.g., apache2ctl restart – by this time I will terminate with extreme prejudice :imp: )
  • Check to see if your sites are up and running. Your web browser probably will give you an insecure warning. That is okay – we will be putting real certificates in place; you just need to ensure that apache is working with ssl.
  • Run letsencrypt --apache ya-da, ya-da, ya-da
  • You might have to restart apache manually after it finishes but that’s okay

Now, don’t forget to:
1. Back up your letsencrypt directory (I am really paranoid now :confounded:)
2. Back up your apache config files (Yes, I am really paranoid now)

One more thing:

  • Make sure that the renewals are working (e.g., letsencrypt renew)
  • Put that in your cron jobs so that it renews each month
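The checks behind the steps above (is Apache already answering TLS before the client runs, is /etc/letsencrypt backed up, does renewal actually work) can be scripted. This is an added example, not from the original post, and it assumes the openssl and tar tools, the letsencrypt client with a renew --dry-run option, and the Debian/Ubuntu default paths (overridable through LE_DIR and BACKUP_DIR).

```shell
#!/bin/sh
# Added example, not from the original post. Turns the checks implied by the
# steps above into functions: confirm Apache is already answering TLS for a
# vhost before running the client, keep a dated backup of /etc/letsencrypt,
# and prove renewal works. Assumes openssl, tar and the letsencrypt client;
# the paths are Debian/Ubuntu defaults and can be overridden via environment.

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/letsencrypt}"

# tls_vhost_up HOST [PORT]: 0 if a TLS handshake completes and a certificate
# (self-signed is fine) comes back. The Apache plugin needs an SSL vhost that
# is already up; this is the check that costs hours when skipped.
tls_vhost_up() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject >/dev/null 2>&1
}

# backup_letsencrypt SRC DEST: archive SRC as DEST/letsencrypt-<timestamp>.tar.gz
# and print the archive path. Archive from the parent so it unpacks as
# letsencrypt/..., with the live/ symlinks kept as symlinks.
backup_letsencrypt() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" || return 1
    printf '%s\n' "$archive"
}

# renewal_ok: exercise the renewal path without replacing the real certs.
# (On a client too old for --dry-run, drop the flag: renew only acts on
# certificates close to expiry anyway.)
renewal_ok() {
    letsencrypt renew --dry-run >/dev/null 2>&1
}

# cron_line: a monthly system-cron entry for /etc/cron.d, as the post suggests;
# running more often is harmless because renew skips certs that are not due.
cron_line() {
    printf '%s\n' '17 3 1 * * root letsencrypt renew --quiet && apache2ctl graceful'
}

main() {  # usage: sh le-preflight.sh HOST
    host=$1
    if tls_vhost_up "$host"; then
        echo "TLS vhost for $host is answering"
    else
        echo "no TLS answer from $host: set up the self-signed vhost and restart apache first" >&2
        return 1
    fi
    echo "backup written to $(backup_letsencrypt "$LE_DIR" "$BACKUP_DIR")"
    if renewal_ok; then
        echo "renewal dry run OK; install this in /etc/cron.d/letsencrypt:"
        cron_line
    else
        echo "renewal dry run FAILED; run 'letsencrypt renew' by hand to see why" >&2
        return 1
    fi
}

case "${1:-}" in '') ;; *) main "$1" ;; esac
```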


Short Post – Thoughtful Tattoo

I was at a local takeout restaurant and one of the servers had a tattoo that read:

You are not your mistakes

Likely, the owner of the tat has some stories that could be told and may have had some unpleasant, even life-changing, experiences.

That said, it is a good reminder for everyone! Everyone stubs their toes every now and then. Not only yourself but others too. So, keep that in mind for yourself and others…


Merry Christmas and a Happy, Safe and Prosperous New Year!

Thinking about this past year over the holiday season, there seem to have been far too many tragic events that go against the “Peace and goodwill towards men” that the Christmas season is supposed to take on. That being said, remembering as a kid seeing the announcements on television that NORAD was tracking Santa and he was soon to be arriving was a wonderful thing. Time to get in bed before Jolly Old Saint Nick showed up!

In thinking about all of this it reminds me that even at the height of bad times good still rises above it all – NORAD was tracking Santa and making sure that everything would be okay. Most (likely all) of us are far too young to remember the early days of the Cold War; however, many of us do remember the U.S. bases in Newfoundland and Labrador. Even in the most stressful of times the good rises to the top. So, here is the story…

On Dec. 24, 1955, a call was made to the Continental Air Defense Command (CONAD) Operations Center in Colorado Springs, Colo. However, this call was not from the president or a general. It was from a young child in Colorado Springs who was following the directions in an advertisement printed in the local paper – the youngster wanted to know the whereabouts of Santa Claus.

The ad said “Hey, Kiddies! Call me direct and be sure and dial the correct number.” However, the number was printed incorrectly in the advertisement and rang into the CONAD operations center.

On duty that night was Colonel Harry Shoup, who has come to be known as the “Santa Colonel.” Colonel Shoup received numerous calls that night and rather than hanging up, he had his operators find the location of Santa Claus and reported it to every child who phoned in that night.

Thus began a tradition carried on by the North American Aerospace Defense Command (NORAD) when it was formed in 1958. Today, through satellite systems, high-powered radars and jet fighters, NORAD tracks Santa Claus as he makes his Yuletide journey around the world.

Every year on December 24, fifteen hundred volunteers staff telephones and computers to answer calls and e-mails from children (and adults) from around the world. Live updates are provided through the NORAD Tracks Santa Web site (in seven languages), over telephone lines, and by e-mail to keep curious children and their families informed about Santa’s whereabouts and if it’s time to get to bed.

Each year, the NORAD Tracks Santa Web Site receives nearly nine million unique visitors from more than 200 countries and territories around the world. Volunteers receive more than 140,000 calls to the NORAD Tracks Santa hotline from children around the globe.

This year, children and the young-at-heart are able to track Santa through Facebook, Twitter and YouTube.  To follow us on any of these Web sites, type in @noradsanta into the search engine and start tracking.

NORAD Tracks Santa has become a magical and global phenomenon, delighting generations of families everywhere.

For more information about NORAD Tracks Santa, please visit www.noradsanta.org

So those of us who have young kids who still have the wonder of Santa Claus (and the older of us who still do!) we can still follow the Jolly Old Elf as he makes his trek around the world. (And, maybe, just maybe, get the kids in bed early!)


Getting Ready for a New Year…

Yeah, yeah, yeah… I’ve posted more this month than in, like, forever… It’s like tubular, dude…

Yes, channeling my inner 80s… Did I ever talk about how 1984 seems to have the best albums ever:

  • Iron Maiden – Powerslave (not quite as good as Piece of Mind though) for Aces High and 2 Minutes to Midnight (Cold War teen)
  • Judas Priest – Defenders of the Faith for Some Heads are Gonna Roll
  • Dio – The Last in Line for The Last in Line
  • Ratt – Out of the Cellar for Wanted Man and Round and Round
  • Mercyful Fate – Don’t Break the Oath; well, this is because I still remember one of my good buddies, Dwayne (“Spike”), trying his hand at poetry and ending up with “Me mother likes Mercyful Fate, After me quarter ounce she did ate”
  • Dokken – Tooth and Nail for Into the Fire
  • Scorpions- Love at First Sting for Rock you Like a Hurricane and Still Loving You
  • Helix – Walkin’ the Razor’s Edge for Rock You and Gimme Gimme Good Lovin’ – And one of my buddies’ older brother’s off-the-air recording that included the Q104 (Halifax, Canada – I think) readout to the beat of “Give me a Q, Give me a 1…” like the actual beginning of the song “Give me an R…”
  • Van Halen – 1984 for Panama (I liked that cut the best), Panama and Hot for Teacher (although for a 16-year-old this video was better than Panama)
  • Bruce Springsteen – Born in the U.S.A. for the entire album. Kinda cool how far that unknown girl went from the Dancing in the Dark video. Personally my melancholy side liked Downbound Train and My Hometown.
  • U2 – The Unforgettable Fire – Pride (In the Name of Love) really hooked me
  • Prince – Purple Rain for When Doves Cry (my favorite), Let’s Go Crazy, Darling Nikki (funny as hell) – damn, pretty well all the cuts
  • Don Henley – Building the Perfect Beast for The Boys of Summer (I could see the scene in my mind’s eye) and All She Wants to Do Is Dance (can you say Iran-Contra, fellow Cold War teens?)
  • The Cars – Heartbeat City for Hello Again, You Might Think (what the frack was it with that freaking fly?)
  • Alphaville – Forever Young (gotta put that one in – Hi skool grad song)
  • The Icicle Works – The Icicle Works for Birds Fly (Whisper to a Scream)
  • Nena – 99 Luftballons (gotta be a Cold War teen to understand it…) (Years later thanks to this Internet thing I checked out the actual German words. Same sentiment but I think that the German is a better expression. Unfortunately I don’t think that you could get it to rhyme correctly in English.) (No, she is not dead… Damn, there should be some QA/QC for it. Don’t you think so Facebook?)

Anyway, I digress – again. I do say I wonder about this and that. Maybe it should be wander about this and that.

My old web server was getting a little long in the tooth. Not from a horsepower perspective but from supportability. My previous post on the Let’s Encrypt TLS web server encryption smacked me in the head with a warning that with CentOS 6.8 (Final) Python was no longer supported. Likely (from Red Hat experience) CentOS would have kept Python 2.6 patched (at least I think it was 2.6; I blew away the VM), but getting a newer Python would have meant going outside the normal repositories. Also PHP was getting a little dated and, frankly, the Apache config files were a freakin’ mess after being migrated between different servers and versions of CentOS four-or-five times (think: PHP upgrades, Apache upgrades).

So, what to do…

Plan a migration to a new, mainstream supported server keeping in mind:

  1. Let’s Encrypt certificates needed to be moved
  2. Apache config files had to be rewritten to be current (and keep the Let’s Encrypt certificates)
  3. WordPress Blog (this thing) had not only to be moved but the MySQL database upgraded
  4. General crap such as securing the OS, PKI keys and the like
  5. Oh yeah, make sure that wx.pelleys.com kept working (which has about 10 times the Twitter followers that yours truly does :-()

Anyway, it took about 10 days in calendar time. Effort time? About 10-12 hours. Biggest hangup: moving WordPress and upgrading. Thing not to worry much about: moving the Let’s Encrypt certificates (which will be much easier if you have clean Apache config files).

Why was WordPress such a pain in the arse? Part of it seems to be from WordPress 4.7 and the security lockdown.

Issues:

  • Plugins want to be ftp uploaded. Who the frack uses ftp? Need to change the config files to allow upload.
    • Need to add "define('FS_METHOD','direct');" to wp-config.conf
    • See http://www.hongkiat.com/blog/update-wordpress-without-ftp/
  • Directory permissions did not want to allow uploads (grumble, grumble, pain-in-the-arse)

Good thing: Added two-factor authentication to WordPress with the miniOrange two-factor plugin and Google Authenticator.

Colo-Serve Communications

I have to give my VPS hoster, Colo-Serv Communications in Montreal, two thumbs up for helping with my migration. Not only are these folks very cost effective but the support is number one. For example: in this exercise I decided to ask if I could have two VPSes running (the current and the new one) as I migrated. I was thinking two-or-three days before I got a yes-or-no and then another couple of days as the new VPS was stood up.

Nope, about 30 minutes after my request I got my answer: no problem.

About 5 minutes after that: your VPS is provisioned, here is your access information. Fill your boots.

That, folks, is what I call good customer service. Credit where credit is due!


Moving Pelleys.com to TLS Connections

Well, I have most of the Pelleys.com web sites migrated to TLS certificates. (I want to say SSL but “SSL” is obsolete.) I have actually wanted to do this for some time but I did not want to pay for the privilege. However, on October 8, 2016, Google announced on the Google Security Blog that “(b)eginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure” and that “(e)ventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” So, I decided to get my arse into gear and do something about it.

Let's Encrypt Logo

A quick web search led me to Let’s Encrypt which is a “free, automated, and open” certificate authority.  The list of current sponsors for Let’s Encrypt is quite impressive including Mozilla, Akamai, Cisco, Chrome and (of course) the EFF. The documentation is pretty good but, as Let’s Encrypt notes, this is beta so…

The biggest problem I had is likely related to the fact that www.pelleys.com, blog.pelleys.com and wx.pelleys.com have been migrated one too many times between various versions of CentOS and Apache and my config files are, to be charitable, a mess. After some messing around I determined that when using VirtualHost, what seems to work for me was that for each individual VirtualHost I had to use:

<path>/certbot-auto -d full_fqdn_virtualhost -d full_fqdn_virtualhost

Maybe (likely?) I missed that in the many examples but if someone finds this useful – Great!

The only things that I think Let’s Encrypt is lacking, from my perspective, are that:

  1. It is *nix-centric – not a big issue since I use Ubuntu and CentOS; and
  2. I have yet to determine how to put the Let’s Encrypt certificates on a firewall (e.g., for SSL-VPN connections). This is likely, in my opinion, because those using SSL-VPN connections are businesses, not home geeks like me 🙂 I will keep digging. If I find out something I will post it.

The other bit is that if you are using WordPress – you likely noted that I do since you are reading this post 🙂 – once you upgrade at the web server level (e.g., Apache) the site will still be “broken” since the in-page links to graphics, etc., are listed as HTTP instead of HTTPS. To fix this install the Really Simple SSL plugin for WordPress and follow the instructions.
